Re: [suse-security-announce] SUSE Security Announcement: spamassassin remote denial of service (SUSE-SA:2005:033)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Wednesday 2005-06-22 at 17:05 +0200, Marcus Meissner wrote:
> 1) Problem Description and Brief Discussion
>
> The anti-spam tool SpamAssassin was prone to a denial-of-service attack. A remote attacker could craft a MIME E-Mail message that would waste a lot of CPU cycles parsing the Content-Type header.
>
> This is tracked by the Mitre CVE ID CAN-2005-1266.
>
> Only SUSE Linux 9.2 and 9.3 are affected, since they include the 3.x version of spamassassin. Older versions are not affected.
I noticed that you have upgraded to 3.0.4, and thus saved me the work of upgrading manually. Thanks. But the scoring of this release (and 3.0.3 as well) is wrong:

score BAYES_60 0 0 3.515 1.0
score BAYES_80 0 0 3.608 2.0 <----
score BAYES_95 0 0 3.514 3.0
score BAYES_99 0 0 4.070 3.5

Notice that the score for 80% is bigger than for 95%, for Bayes and no network tests, i.e., 3.608 > 3.514.

I noticed this because I manually edit bayes_99 to be 4.99 - but can I trust there is no other error in the scoring?

I suggest that somebody with influence (i.e., from SuSE) suggests to the developers to add some automatic tests that impede this kind of congruences creeping in.

- --
Cheers,
Carlos Robinson

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFCupMqtTMYHG2NR9URAgGyAJ0bLG0okVs/lE8iEKWYiA+b8CVnjACeJQQQ
GF439GHuAV7jGcf3j+T3U0k=
=xN0k
-----END PGP SIGNATURE-----
> I noticed that you have upgraded to 3.0.4, and thus saved me the work of upgrading manually. Thanks. But the scoring of this release (and 3.0.3 as well) is wrong:
>
> score BAYES_60 0 0 3.515 1.0
> score BAYES_80 0 0 3.608 2.0 <----
> score BAYES_95 0 0 3.514 3.0
> score BAYES_99 0 0 4.070 3.5
>
> Notice that the score for 80% is bigger than for 95%, for Bayes and no network tests, i.e., 3.608 > 3.514.
>
> I noticed this because I manually edit bayes_99 to be 4.99 - but can I trust there is no other error in the scoring?
If you want to modify the scoring, you'd better do that in /etc/mail/spamassassin/local.cf (or another .cf file placed in that directory). This will override the preconfigured defaults once and for all, without the need for intervention after each update.
> I suggest that somebody with influence (i.e., from SuSE) suggests to the developers to add some automatic tests that impede this kind of congruences creeping in.
Why don't you do this yourself? You can submit bugs on 'http://bugzilla.spamassassin.org' yourself and find out that you as a user can have influence too. Better yet, submit the code for the suggested test yourself. If it is any good, you'll likely find it back in the released version a couple of versions later.

Best regards,
Arjen
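As an added illustration of the two points raised in this exchange (it is not code from the thread, nor SpamAssassin's own test suite), the script below does what the suggested automatic test would do: it parses `score` lines in the .cf format, merges a local.cf on top of the shipped defaults the way SpamAssassin lets site overrides win, and then reports any BAYES_* band whose score is lower than a lower band's in the same score set. It assumes the documented four-column order of score sets (no Bayes/no net, no Bayes/net, Bayes/no net, Bayes/net); the default lines are the four quoted above and the local.cf fragment is a constructed sample.

```python
"""Lint SpamAssassin BAYES_* scores: a higher probability band must never score
lower than a lower band in the same score set."""
import re

# Column order SpamAssassin uses for four-value "score" lines (assumed from its docs).
SCORE_SETS = ("no Bayes, no net", "no Bayes, net", "Bayes, no net", "Bayes, net")

# Sample input: the four default lines quoted in the thread (3.0.3 / 3.0.4).
DEFAULT_CF = """
score BAYES_60 0 0 3.515 1.0
score BAYES_80 0 0 3.608 2.0
score BAYES_95 0 0 3.514 3.0
score BAYES_99 0 0 4.070 3.5
"""

# Constructed sample of a site override, as /etc/mail/spamassassin/local.cf might carry it.
LOCAL_CF = """
# raise the top Bayes band, as the poster did by hand
score BAYES_99 0 0 4.99 4.99
"""

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")


def parse_scores(text, scores=None):
    """Parse 'score NAME n [n n n]' lines into {name: (s0, s1, s2, s3)}.

    Later definitions override earlier ones, and a single value applies to all
    four score sets, mirroring how SpamAssassin reads its configuration."""
    scores = {} if scores is None else scores
    for line in text.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue  # blank line, comment, or a non-score directive
        name, values = m.group(1), m.group(2).split()
        if len(values) == 1:
            values = values * 4
        if len(values) != 4:
            raise ValueError(f"bad score line: {line!r}")
        scores[name] = tuple(float(v) for v in values)
    return scores


def effective_scores(default_cf, local_cf):
    """Defaults first, then local.cf, so the site's values win without editing the defaults."""
    return parse_scores(local_cf, parse_scores(default_cf))


def bayes_band(name):
    """'BAYES_60' -> 60; None for rules that are not Bayes probability bands."""
    m = re.fullmatch(r"BAYES_(\d+)", name)
    return int(m.group(1)) if m else None


def find_inversions(scores):
    """Return (lower_band_rule, higher_band_rule, score_set) for every place where
    the higher band scores strictly less than the band just below it."""
    bands = sorted((bayes_band(n), n) for n in scores if bayes_band(n) is not None)
    problems = []
    for (_, lo), (_, hi) in zip(bands, bands[1:]):
        for i, label in enumerate(SCORE_SETS):
            if scores[hi][i] < scores[lo][i]:
                problems.append((lo, hi, label))
    return problems


if __name__ == "__main__":
    defaults = parse_scores(DEFAULT_CF)
    for lo, hi, score_set in find_inversions(defaults):
        print(f"defaults: {hi} {defaults[hi]} scores below {lo} {defaults[lo]} "
              f"in score set '{score_set}'")
    merged = effective_scores(DEFAULT_CF, LOCAL_CF)
    print("BAYES_99 after local.cf override:", merged["BAYES_99"])
```

Run on the quoted defaults it flags exactly the BAYES_80/BAYES_95 pair in the "Bayes, no net" set; the local.cf override changes BAYES_99 without touching the shipped file, so the same check can be rerun after every package update.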
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Thursday 2005-06-23 at 14:20 +0200, Arjen de Korte wrote:
>> I noticed this because I manually edit bayes_99 to be 4.99 - but can I trust there is no other error in the scoring?
> If you want to modify the scoring, you'd better do that in /etc/mail/spamassassin/local.cf (or another .cf file placed in that directory). This will override the preconfigured defaults once and for all, without the need for intervention after each update.
I know, I did that right after my email. But I was simply testing my changes the day previous to the update, so I did not bother to edit local.cf yet - not knowing that the update was so near at hand ;-)
>> I suggest that somebody with influence (i.e., from SuSE) suggests to the developers to add some automatic tests that impede this kind of congruences creeping in.
> Why don't you do this yourself? You can submit bugs on 'http://bugzilla.spamassassin.org' yourself and find out that you as a user can have influence too. Better yet, submit the code for the suggested test yourself. If it is any good, you'll likely find it back in the released version a couple of versions later.
Hah! :-) Because I'm no longer a coder... and I never programmed in Perl (except a bit, with external hand-holding), nor in Linux. Plus, I don't really know how SA works: I haven't seen a howto or full documentation. True, I haven't searched hard for it, as my browsing time is limited (modem + pay per minute). I'll have a look and try to find out who to email to.

- --
Cheers,
Carlos Robinson

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFCuv6ttTMYHG2NR9URAnbHAJ4wqX6WQeRDuqQLkYqEq7gygPAlSwCeNPzx
uONZ1Rg8MYw1q2LviBxngYw=
=R5zx
-----END PGP SIGNATURE-----